Alleged Extortioner of Psychotherapy Patients Faces Trial – Krebs on Security

Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.

In November 2022, Kivimäki was charged with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients, sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom. When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

Security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. By that time, Kivimäki was no longer in Finland, but the Finnish government nevertheless charged Kivimäki in absentia with the Vastaamo hack. The 2,200-page evidence document against Kivimäki suggests he enjoyed a lavish lifestyle while on the lam, frequenting luxury resorts and renting fabulously expensive cars and living quarters.

But in February 2023, Kivimäki was arrested in France after authorities there responded to a domestic disturbance call and found the defendant sleeping off a hangover on the couch of a woman he’d met the night before. The French police grew suspicious when the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

A redacted copy of an ID Kivimäki gave to French authorities claiming he was from Romania.

Finnish prosecutors showed that Kivimäki’s credit card had been used to pay for the virtual server that hosted the stolen Vastaamo patient notes. What’s more, the home folder included in the Vastaamo patient data archive also allowed investigators to peer into other cybercrime projects of the accused, including domains that Ransom Man had access to as well as a lengthy history of commands he’d executed on the rented virtual server.

Some of those domains allegedly administered by Kivimäki were set up to smear the reputations of different companies and individuals. One of those was a website that claimed to have been authored by a person who headed up IT infrastructure for a major bank in Norway which discussed the idea of legalizing child sexual abuse.

Another domain hosted a fake blog that besmirched the reputation of a Tulsa, Okla. man whose name was attached to blog posts about supporting the “white pride” movement and calling for a pardon of the Oklahoma City bomber Timothy McVeigh.

Kivimäki appears to have sought to sully the name of this reporter as well. The 2,200-page document shows that Kivimäki owned and operated the domain krebsonsecurity[.]org, which hosted various hacking tools that Kivimäki allegedly used, including programs for mass-scanning the Internet for systems vulnerable to known security flaws, as well as scripts for cracking database server usernames and passwords, and downloading databases.

Ransom Man inadvertently included a copy of his home directory in the leaked Vastaamo patient data. A lengthy history of the commands run by that user shows they used krebsonsecurity-dot-org to host hacking and scanning tools.

Mikko Hyppönen, chief research officer at WithSecure (formerly F-Secure), said the Finnish authorities have done “amazing work,” and that “it’s rare to have this much evidence for a cybercrime case.”

Petteri Järvinen is a respected IT expert and author who has been following the trial, and he said the prosecution’s case so far has been strong.

“The National Bureau of Investigation has done a good job and Mr Kivimäki for his part some elementary mistakes,” Järvinen wrote on LinkedIn. “This sends an important message: online crime does not pay. Traces are left in the digital world too, even if it is very tedious for the police to collect them from servers all around the world.”

Antti Kurittu is an information security specialist and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP). Kurittu said it remains to be seen if the prosecution can make their case, and if the defense has any answers to all of the evidence presented.

“Based on the public pretrial investigation report, it looks like the case has a lot of details that seem very improbable to be coincidental,” Kurittu told KrebsOnSecurity. “For example, a full copy of the Vastaamo patient database was found on a server that belonged to Scanifi, a company with no reasonable business that Kivimäki was affiliated with. The leaked home folder contents were also connected to Kivimäki and were found on servers that were under his control.”

The Finnish daily yle.fi reports that Kivimäki’s lawyers sought to have their client released from confinement for the remainder of his trial, noting that the defendant has already been detained for eight months.

The court denied that request, saying the defendant was still a flight risk. Kivimäki’s trial is expected to continue until February 2024, in part to accommodate testimony from a large number of victims. Prosecutors are seeking a seven-year sentence for Kivimäki.
